[hackthebox]Heist

heist1

Enumeration

This section describes the reconnaissance techniques used to find foothold to start, the purpose is to understand the machine before issuing attacks.

nmap enumeration

nmap -A -p- -oN heist -vvv 10.10.10.149
The machine is listening to these services:

  1. tcp/135 – rpc, possible to enumerate with rpcclient.
  2. tcp/445 – SMB, check whether the smb is vulnerable to eternal blue, and check if smbserver accepts anonymous connection, if a credential is found check if user account is allowed to enumerate shares.
  3. tcp/80, http web service, check if there are more directories with dirbuster or gobuster or wfuzz, check if there are some files with these extensions: txt, php, htm, html, aspx, asp exists with enumeration, also checks if there are vhosts with gobuster. Attempt to visit the website and use burpsuite.
  4. tcp/5985, remote assistance, this is a good sign to use evil-winrm to connect remotely to the machine. If a credential is obtained but connection to winrm has failed this could mean either the credential is outdated or the credential is not within the Remote Management Users group.
  5. tcp/49669, this is a dynamic ms rpc port.
# Nmap 7.80 scan initiated Wed May  6 14:58:45 2020 as: nmap -A -p- -oN heist -vvv 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up, received syn-ack (0.17s latency).
Scanned at 2020-05-06 14:58:45 +08 for 523s
Not shown: 65530 filtered ports
Reason: 65530 no-responses
PORT      STATE SERVICE       REASON  VERSION
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
445/tcp   open  microsoft-ds? syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m25s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 54452/tcp): CLEAN (Timeout)
|   Check 2 (port 48515/tcp): CLEAN (Timeout)
|   Check 3 (port 25486/udp): CLEAN (Timeout)
|   Check 4 (port 50469/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-06T07:10:16
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May  6 15:07:28 2020 -- 1 IP address (1 host up) scanned in 522.85 seconds

From the nmap scan, the smb version is 2, which is unlikely affected by eternalblue.

Can RPC accepts anonymous connection? If so can I enumerate?

rpcclient -U "" -N 10.10.10.149
Unfortunately the connection is ACCESS DENIED.
heist2

Can SMB server accepts anonymous connection? If so can I enumerate?

Access is denied, unfortunately.
heist3

Check out the website

Does the web application have any variables? Or is the website static?
heist4

From burpsuite the login page has three variables:
heist6

From the view page source there is another variable known as guest.
heist7

Login as guest and see what will be next

Guest login redirects to an issues.php page.
heist8

Clicking on the attachment reveals a cisco ios configuration file.
heist9

What can I know about the config.txt?

The configuration file reveals credentials there are a total three passwords two of them are in password 7 which is an insecure encryption which purpose is to obfuscate passwords from prying eyes behind an administrator’s back, it’s purpose is not to provide confidentiality through strong cryptography but more of “security through obscurity”. Another password is an enable secret password which is a MD5 hash.

I use this online decryptor to decrypt cisco’s password 7.
For username rout3r the password is $uperP@ssword.
heist10

For username admin the password is:
heist11

For the enable secret’s md5 I use hashcat, which has a module for cracking cisco ios md5.
heist12

hashcat -m 500 -a 0 enable_secret_hash /usr/share/wordlists/rockyou.txt -o cisco_enable_secret

where -m is the hash mode id, -a is the attack mode which I chose straight attack mode, enable_secret_hash is the text file I saved for my enable secret md5 hash, /usr/share/wordlists/rockyou.txt is the wordlist for bruteforcing the password, and -o is the output file.
heist13heist14
the enable secret is stealth1agent.

Can these found passwords related to windows connection?

The known usernames gathered so far are rout3r, admin and hazard, hazard is the user who had registered a support with config.txt as attachment.

Gather the usernames and passwords into text files and use smb_login to check which one succeeds in login. The purpose is not to bruteforce any password, the purpose is to test which password belongs to which username efficiently.
heist15
heist16
A match is found username is hazard and password is stealth1agent.

Does hazard have smb share?

smbmap -u hazard -p stealth1agent -H 10.10.10.149
heist17

Yes, hazard does have an IPC$.

Can hazard enumerate IPC$?

heist18

No, there is nothing to enumerate…
heist18

Can hazard logon to windows via evil-winrm?

heist19
So hazard is not a member of Remote Management user group.

Can hazard get a psexec through smb IPC$?

heist20

heist21

It looks like hazard cannot gain windows access through psexec…

Looking for more users through sid lookup

impacket has a script known as lookupsid.py which can be used to enumerate usernames with sid.

python3 ../tools/impacket/examples/lookupsid.py 10.10.10.149/hazard:stealth1agent@10.10.10.149
heist22
There are three new usernames found, put these new usernames into a text file and use smb_login to try to see if any usernames matches the passwords found from the config.txt.

support
Chase
Jason

I excluded the builtin accounts such as administrator, Guest, DefaultAccount, WDAGUtilityAccount, None.

heist23
heist25

A match is found.

Foothold

The username account – chase is identified, can this account gain access to windows via evil-winrm?
heist26
I have gained a foothold within windows with account chase.

Get the user flag

heist27

Find out chase’s privileges

whoami /all
I am trying to look if chase has misconfigured user group such as Exchange Windows Permissions which has a WriteDacl permission or Account Operator which is capable creating non-Domain Admin and non-Administrators accounts, this group is capable of assigning groups to the new user.
heist28
Nothing special…

See what is currently running

heist29
Access denied??? One thing I learned about getting running process is if the actual cmd line fails I should try the powershell cmdlet.

Get-Process
heist30

There are several instances of firefox, which could mean there is a chance which credentials can be fished from the firefox process…

Process dumping

To get the procdump download from https://download.sysinternals.com/files/Procdump.zip.

To stream line the process to display only firefox Get-Process -name firefox
heist31

The Id column is the process id of firefox.
I am choosing ID 6964.

I upload the procdump64.exe to windows.
heist32

Then I run ./procdump.exe -accepteula -ma 6964 firefox.dmp where -ma is the process id or the binary name in this case there are more than one instances of firefox so i chose a specific process id, firefox.dmp is the dump file name which is arbitrary.
heist33

Then issue download firefox.dmp to download the dump file into my linux machine.
heist34

I have gotten the php variables previously which are login_password, login_username and login.
I use strings firefox.dmp | grep -i login_password to filter the contents I am most interested with.
heist35

Privilege escalation

Login to the support page with admin@support.htb brought me to the same page as guest login, exactly the same….

So could this account be administrator’s?

the password found is 4dD!5}x/re8]FBuZ due to an exclamation mark in the password linux interpreted it as calling history, hence I will need to enter the password into the password prompt instead of writing it explicitly.

the root flag is in the rendezvous.
heist36

Cleaning up

heist37

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s